What Is a Dictionary Attack? A Quick Guide

Learn how to recognize and fight an attempt to steal your passwords.

Damjan Jugovic Spajic Image
Updated:

June 10,2022

DataProt is supported by its audience. When you buy through links on our site, we may earn a commission. This, however, does not influence the evaluations in our reviews. Learn More.

We’ve been using the internet to complete financial transactions and even download our government-issued documents for some time now. Bad actors are well aware of this, so it’s no surprise that dangers lurk from almost every corner of the Web these days. 

Various attacks are used to breach network defenses, one of which is a dictionary attack. This type of hacking was more successful in the past, but even today, some people have their passwords stolen by this hacking method. But, what is a dictionary attack?

In this article, we’ll go through the definition of a dictionary attack, explain how it works, and offer tips on protecting yourself from it

The Definition of a Dictionary Attack

A dictionary attack is a hacking method attackers use to penetrate password-protected systems. Attackers use “dictionary lists” made of common words or phrases and enter them as passwords in the hope of getting a match. All these words are commonly used in passwords, so if your pass goes something like “letmein” or “password,” you might be in trouble. 

In short, the simplest dictionary attack definition would be “an illegal attempt of acquiring a user’s password by entering the words from a customized dictionary list as a password.”

These attacks sometimes work because many people still use weak passwords that use common words and expressions.

The list of words and phrases can be customized depending on the region. So, the passwords may often include popular sports teams’ names and common terms from the popular culture of a particular group or country. 

One dictionary attack example would be listing off the popular bands or sports player names in hopes of catching someone out. These attacks often target websites that haven’t ensured that their users have to choose a more complex password, which has at least seven or eight characters and includes numbers and capital letters.

How Dictionary Attacks Work

All words from the list are used while the attacker tries to penetrate a computer system or a file. If a user’s password is on the “dictionary list” and there is no other layer of protection, like multi-factor authentication, their account will likely get compromised

However, if a user comes up with a password that’s a combination of random characters,  numbers, uppercase, and lowercase letters, it is improbable that the breach will happen. Therefore, if you have a strong password, a dictionary attack shouldn’t really concern you.

The dictionary attack list is comprised of words and numbers that the users are expected to use when they want to set a simple, easy-to-remember password. So, if someone from Detroit innocently chooses the password ‘DetroitTigers123’, the chances are that their “unique” password could easily be on the “dictionary list.”

Some websites are now informing users that specific passwords have been compromised and that they should be replaced. In other words, your current password could easily be added to the “dictionary list” at some point.

When it comes to software, dictionary attacks are usually carried out via dictionary attack programs or brute-force tools such as Aircrack-ng or John the Ripper. These processes are automated, as manually doing everything would take forever. 

The attacks can be performed either while the targeted device is online or offline. There are several ways to prevent attackers in their attempt to hack into your device while it’s online. 

Firstly, after a few attempts, you might get a notification that someone is trying to log into your account. Often, the attacker can be blocked from trying to guess the password because there is a set limit on unsuccessful password attempts

An offline dictionary attack is more likely to be successful. The only thing the hacker needs to take hold of is the password storage file, and then if they’re lucky, they can get your password without worrying that they will be locked out of the account while trying to hack it. There will be no notifications informing the user that someone is trying to log into their account, nor will there be a Captcha test to pass.

Dictionary Attack vs. Rainbow Table Attack vs. Brute Force Attack

The main difference between dictionary attacks and regular brute force attacks is that the latter employs all possible combinations of characters until it finds a matching password. When it comes to dictionary attacks, hackers use a much smaller list of possible passwords targeted at specific victims. 

There are instances when a hacker has obtained a password for a specific account but hasn’t acquired the email for it. In that case, the hacker will try to apply that password to a set of email addresses until they’ve succeeded. This is called a reverse brute-force attack, sometimes mistakenly referred to as a reverse dictionary attack. 

While dictionary attacks work like a guessing game where many potential passwords are used until the attacker successfully logs in, the rainbow table attack is a password-cracking attempt.

Applications that store passwords do not store them in plaintext; they’re encrypted using hashes. The password you chose is saved as a hash - the next time you type in your password, the system will recognize it as a specific hash. If it matches the one you set, you can log in

Rainbow table attacks work toward cracking these password hashes.

The rainbow table stores hash values for the plaintext, and if bad actors take hold of this table, they can simply compare them and use the information to crack passwords with it. 

This type of attack can occur if a hacker comes across an application with poor security, which will allow them to simply steal the password hashes.

Getting to the password hashes can also be achieved through the vulnerable company’s Active Directory. The success rates of these attacks dropped drastically after the introduction of a process known as salting hashes.

How To Prevent a Dictionary Attack

Whether you’re an individual user or a business owner who has to think about their employees’ online safety, it’s crucial to stay vigilant at all times.

A few tips can help individuals and businesses train themselves and their employees to develop stronger passwords.

For instance, passphrases are way harder to crack than regular passwords. Mixing in symbols makes it even better, though. So, instead of choosing a password like “Marigold87,” try a phrase like “SheLikesPudding,” but then make it better by mixing in symbols to get something like“$h3L1k35Pudd1ng#.”

This way, we can remember the phrase, but it is mixed with different symbols, characters, and numbers, making it extremely hard to be hacked by a dictionary password attack. 

Never use one-fits-all passwords. If only one of your accounts falls prey to a cyberattack, so will all the remaining ones. Nowadays, people often have multiple accounts across many platforms, so remembering all of the passwords is not an easy job. 

For this reason, many have started using password managers to protect their important login details. Your passwords will be saved, and you’ll have an option to log in with one click, so you don’t have to set a simple password. A dictionary attack will not pose a threat since these programs will create very complex and long passcodes that even hackers on quantum computers would have trouble breaking.

Your email and account names on various websites shouldn’t be similar. If someone wants to hack your account, they cannot do it without your email address or some other login information. If the email address for your account consists of your full name, make sure that your username is not the same. 

Other means of protection companies and websites can use to protect themselves from password stealing:

  • Multi-factor authentication, such as biometrics,
  • Password encryption,
  • Captcha,
  • Setting a limit on the number of login attempts during a specific time,
  • Blocking users from using specific passwords that are known to be compromised.

Bottom Line 

Over the years, as people got more tech-savvy, traditional dictionary attacks became less and less useful for hackers.

Some users still opt for simple passwords, though, which is how they end up hacked. If you’re thinking  “What is a dictionary attack good for if people now pay more attention to their passwords?” remember that QWERTY and similar “secure” passcode ideas still have many fans in 2022.

Besides, this is not the only attack out there - there’s a long list of threats, including new ones that are developed regularly. Data from 2022 shows that the overall damage caused by cyberattacks amounts to $6 trillion, so it’s vital to remain vigilant.

Luckily, precautions can be taken to almost completely rule out the possibility of losing your password to this form of threat. Remember - don’t use the same password everywhere; try to utilize both uppercase and lowercase letters, mix in numbers, and use passphrases and two-factor authentication. It won’t guarantee that you’ll not get hacked, but it will certainly make it much harder for bad actors.

FAQ
What is password salt?

Pieces of code (typically strings of 32 or more characters) added to passwords before they get hashed are called cryptographic salt. They make it harder for hackers to obtain our passwords.

What is a dictionary attack example?

One of the dictionary attack examples is developing a “dictionary list” of all the words associated with the victim’s interests and then carrying out an attack based on inputting those until a match is found.

Is a dictionary attack always faster than a brute force attack?

Brute force attacks are, in fact, faster than a dictionary attack. The process of password validation takes less time than preparation and reading the passwords from the dictionary file. That said, brute force attacks have a much broader scope, so depending on how it’s been set up, it can take much longer to try out all possible password combinations.

There are no comments yet
Leave your comment

Your email address will not be published.*